Cybersecurity is vitally important for legal and financial businesses, especially through emails. As the threats continue to evolve, solutions must also be agile enough to cope.
Cyberthreats are growing for businesses across the board, but for those in the legal and financial sectors it is particularly acute, largely down to the vast swathes of confidential information that they are involved in.
Chris Campbell, lead solutions engineer, EMEA at HackerOne, says that due to stringent compliance with regulations, the financial services industry has to maintain the highest security maturity. “Yet, it remains a prime target for cybercriminals,” he says. “The question emerges – why is the financial sector so susceptible to cyberthreats? As bank robber Willie Sutton said when asked why he robbed banks, ‘because that’s where the money is.’
“Unpatched vulnerabilities are a primary access point for attacks, and when you consider an organisation’s unknown assets and their subsequent unpatched vulnerabilities, the risk is exacerbated.
“In addition, financial organisations increasingly rely on third-party vendors to maintain smooth operations. Rapid digitalisation across the finance industry further heightens exposure to third-party cybersecurity risk. Widespread adoption of multi-cloud infrastructure has expanded the scope of potential targets for cybercriminals.”
Sam Harrison, channel manager EMEA at Kiteworks, agrees: “The movement of more and more confidential data into the digital space and it being regularly exchanged with first and third parties has not gone unnoticed by those with unscrupulous intent,” he says. “This had made the financial industry to continue to be a top target for cybercriminals. In fact, it has got so bad that 96% of financial services organisations tell us that they have experienced four or more exploits of sensitive content communications in the past year alone.”
Common threats
The biggest threat to legal and financial services companies is still phishing attacks, says Durgan Cooper, CETSAT chairman. “Targeting employees to gain access to secure data or to instigate further attacks through clicking links etc,” he says.
He adds that ransomware attacks that aim to lock out companies from their systems until a ransom is paid are also common, as are insider threats, where employees or contractors misuse their access to sensitive information.
Endida’s founder and co-CEO Fiona Whyte, agrees that ransomware that locks and encrypts data, devices and systems rendering a business unable to trade is a big threat. “The legal and financial sector, because of the nature of their business are also susceptible to double extortion where attackers not only encrypt data but also threaten to release it publicly,” she says.
“Data theft is an obvious risk but equally as threatening is an alarming increase of a sophisticated advanced persistent threat attacks involving data tampering that injects or alters data and often go undetected for long periods of time.
“Legal and financial institutions have a strong reliance on third party services such as payment processing and data storage. A breach in a third party’s system (supply chain attack) can lead to compromised security for the institution using that service.”
The acceleration of AI and the software supply chain are creating new vectors of risk that legal and financial cyber teams must adapt to, adds Scott Johnson, VP of product management at Synopsys Software Integrity Group. “AI generated code introduces new threats that challenge the norms of IP laws as well as license compliance usage requirements,” he says.
Changing requirements
This means that cybersecurity solutions are imperative, and there are a range of solutions that legal and financial businesses are now requesting.
“Companies should start with the presumption that they will be targeted and have a comprehensive incident response plan in place, including a consumer notification process especially when sensitive data and financial information is corrupted,” says Spencer Starkey, VP EMEA at SonicWall. “Regulation or industry standards should be put in place to protect consumers and relevant stakeholders from experiencing material damage and ensuring transparency from company officers.”
Durgan says the general trend is towards visibility tools. “Most legal and financial services companies will have good security products in place, however there are often too many systems and alerts coming from these to filter the really bad stuff manually, therefore an increase in security operation centres and analytics tools is on the rise,” he says.
“Coupled with this, threat intelligence feeds are increasingly being subscribed to which provide up to date/real time insights into emerging threats which either target all or industry specific threats.”
Sam adds that private content networks are becoming more common. “A private content network employs a content-defined zero-trust approach that would enable financial services organisations to unify, track, control and secure all their sensitive content communications into one single platform,” he says. “This allows financial services organisations to track and control access to files and folders, who can edit and share them, and to whom and where they can be shared. This could be a game changer as it enables financial firms to ensure private personally identifiable information, intellectual property, client financial records, insurance claims and more to remain private and in compliance with increasingly stringent global regulations.”
Spencer adds: “Legal and financial companies are seeking cybersecurity solutions that offer advanced threat protection, regulatory compliance, data loss prevention and identity and access management. They also prioritise incident response, employee training, cloud security and managed security services to effectively address the evolving threat landscape and safeguard sensitive data.
“Due to the speed at which new attacks are being created, they are more adaptive and difficult to detect, which poses an additional challenge for cybersecurity professionals. From a high-level business perspective, they must look to constantly monitor their network for suspicious activity, using security tools to detect where logins are occurring and on what devices. The sooner teams can flag a potential issue, the lower the risk of an attack. As a result, there will be a greater demand for tools that can harness the power of AI to detect and respond to smarter threats in real-time.”
Regulatory concerns
Andrew Pattison, head of GRC consultancy Europe at IT Governance Europe, says that businesses must prioritise flexible cybersecurity solutions to secure remote access to corporate networks and devices, employing measures like multifactor authentication and staff training.
“Additionally, real-time monitoring and threat intelligence are essential for detecting and mitigating security risks promptly,” he says. “For instance, financial entities in the EU and those providing ICT services to them, must be compliant to the EU Digital Operational Resilience Act (DORA) by 2025. This legislation aims to bolster cybersecurity by outlining security requirements, contractual arrangements, and oversight frameworks for financial entities and their third-party ICT service providers across all 27 member states.
“To navigate this regulatory landscape and enhance their cybersecurity posture, businesses can leverage standards like ISO 27001 and ISO 22301. These frameworks offer structured approaches to adapting to evolving threats while ensuring compliance with regulations such as DORA. By adopting a risk-based strategy and proactively implementing measures outlined in these standards, legal and financial enterprises can bolster their operational resilience, protect sensitive data and mitigate cyberthreats.”
Ethical hackers
Meanwhile, Chris says that engaging the global community of ethical hackers is one of the best resources to keep ahead of cybercriminals. “This is because ethical hackers find the most elusive and technically sophisticated vulnerabilities, which often fall beyond the scope of automated defences to ensure the safety of customer data,” he says.
“Hackers’ skill sets diverge markedly from that of a typical IT professional. They have the distinct advantage of a hackers’ mindset – the ability to think outside the box and look at systems the same way a malicious outsider would. This enables them to spot vulnerabilities that typical cybersecurity professionals may overlook.
“Most financial services industry leaders already working with ethical hackers agree that an internal security team can never replicate the creativity and man-hours being put in by ethical hackers on a bug bounty platform, who specialise in all kinds of areas.”
Hugh Simpson, EMEA marketing development manager at Zyxel Networks, says that the cybersecurity needs of financial and legal professionals don’t differ much from those of other organisations. “Most companies in these sectors are small or mid-sized firms with have no real in-house IT expertise and limited budgets, so what these businesses need is enterprise level protection at SMB prices – and that’s exactly what we deliver with our unified security gateway family and through our Nebula cloud management.”
Email concerns
One of the most important areas of security concern for legal and financial companies is email. As Rachel White, MSP manager at VIPRE Security Group, notes, email remains the preferred vehicle of cybercriminals. “An analysis of over seven billion emails processed by VIPRE worldwide during 2023 highlighted that financial services (22%) were the most targeted sector by phishing and malspam emails,” she says.
“Across sectors, email-delivered malware remains a favourite, increasing by 276% between January and December of last year. Additionally, attachments are growing as a threat. For instance, in Q4 of 2023, EML attachments increased 10-fold. Criminals are sending malicious payloads via EML files because they get overlooked when attached to the actual phishing email, which comes out clean. All these findings are potentially reflective of the financial services and legal sectors.”
To combat this, for legal and financial firms of all sizes – but especially smaller ones – layering on advanced email security and email threat protection is a necessity, Rachel adds. “Most professional services organisations tend to rely on Microsoft for email security, but in the current environment, the standard security safeguards offered by Microsoft are inadequate,” she says. “This is not to say that Microsoft isn’t focused on security – it’s just that ‘email security’, which is now a specialised area of security, is only a component of Microsoft’s overall security.
“For example, unless a firm is purchasing Microsoft’s top-tier security package – which is expensive – the lower-tier licenses lack critical protections against impersonation and zero-day threats. Criminals exploit these gaps, knowing that firms prioritise cost savings through license selection.
“Also, Microsoft uses third-party security intelligence feeds, which means that by nature, they are static. So, a delay between the company’s intelligence feed and security on the platform being updated could mean that an unattended threat (even for a day or two) could cause a successful zero-day attack. Firms need to adopt techniques like Link Isolation, which renders malicious URLs in emails and their associated web pages harmless. Similarly, to check for malicious attachments, sandboxing capability is a must, where the suspicious file is isolated in a ‘sandbox’ – i.e., a virtual machine in the cloud.
“Similarly, for time-poor lawyers and finance professionals, layering on additional safeguards that prevent misaddressed emails is valuable, especially given that these individuals frequently share and exchange highly confidential and sensitive information.
“Specialist email security solutions package all these capabilities to provide tailored and comprehensive measures. Firms in highly targeted sectors, such as legal and financial services, need to allocate budgets to robust and layered email security measures. Neglecting email security is a high-risk approach. If there’s a budget leftover, it should go into training staff to be the organisation’s human firewall!”
Hybrid influence
Another potential security risk is posed by hybrid working, although as Fiona notes, legal and financial businesses have generally been conservative when it comes to remote working due to the sensitive nature of their data.
“Extending the security perimeter beyond the traditional office environment will expand organisations attack surface, especially when it comes to accessing and sharing data,” says Fiona. “However, we are seeing a high rate of adoption of cybersecurity platforms that can significantly reduce these risks such as zero trust network access, end point detection and response, multifactor authentication, security awareness training for employees, especially around phishing and implementing robust access control policies.”
Tyler Moffitt, senior security analyst at OpenText Cybersecurity, adds that hybrid working models have introduced complex security challenges, primarily around data access and network security. “Legal and financial firms have had to quickly adapt by implementing secure remote access solutions, such as VPNs and multi-factor authentication, to ensure that both on-premise and remote environments are secure. Effective cybersecurity now requires a layered defence strategy that secures endpoints, networks and cloud services, adapting to wherever employees are working.”
Richard Hughes, head of technical cyber at A&O IT Group, adds that employees are more susceptible to social engineering attacks when working remotely. “There is far more reliance on endpoint protection solutions given the layers of defence that are not available remotely,” he says. “During the COVID pandemic, solutions for remote working were rushed in but organisation are revisiting these decisions and with hindsight deploying more robust solutions for their hybrid workforce.”
Kevin Reed, CISO at cyber security company Acronis, agrees, adding that the social disconnect may affect people engagement and even loyalty. “I am not saying that employees will cooperate with criminals and become an insider threat, but for example, having a side gig may introduce software on the client, such as a VPN client, that would violate corporate policies,” he says.
Agility is crucial
With the threat landscape constantly changing and cybercriminals evolving their tactics, security measures need to be agile for legal and financial businesses.
“But many organisations continue to take a reactive approach to security only fixing issues as they are discovered during testing and so security assessments once or twice a year can leave then exposed,” says Richard. “Businesses should look to work with security firms that will keep them appraised of new threats as they arise and not wait for the next round of testing.”
Spencer adds that a proactive and flexible approach to cybersecurity is required. “This should include regular security assessments, threat intelligence, vulnerability management and incident response planning,” he says. “It also requires ongoing training and awareness programs to ensure that employees are aware of the latest threats and best practices for cybersecurity. By maintaining agile and up to date cybersecurity arrangements, companies can minimise their risk exposure, detect and respond to threats more effectively, and maintain the trust and confidence of their customers and stakeholders.”
Fiona warns that cybercriminals are harnessing the power of AI to deploy more sophisticated attacks. “So using next generation AI-based cybersecurity platforms will instantly put an organisation ahead of the curve as they are able to autonomous keep up with new threats,” she says. “In conjunction, regular pen testing is the only foolproof way to test that a cybersecurity solution gives the right level of protection and enables users to fix any weaknesses.”
All this means that legal and financial businesses need channel partners. “More than ever, they are looking for partners that understand their business that can then expand current solutions to help manage the new threat vectors while at the same time providing new innovative technologies in place that address the challenges that AI and securing the software supply chain present,” says Scott. “For example, traditional software composition analysis must provide AI protections for licensing risks while at the same time expanding to support managing SBOMs. The preference being the evolution of tools to address the challenges versus the need to add in new point products.”
